Acer Control Center Flaw Lets Attackers Run Malicious Code as Elevated User
A critical security flaw (CVE-2025-5491) in Acer ControlCenter allows remote attackers to execute arbitrary code with NT AUTHORITY\SYSTEM privileges via a misconfigured Windows Named Pipe.
The vulnerability, rated 8.8 on the CVSS scale, stems from insecure permissions on a custom protocol pipe exposed by the ACCSvc.exe service.
Acer has released patched versions (4.00.3058+) to address the issue.
Technical Analysis
The ACCSvc.exe service, running with SYSTEM privileges, creates a Windows Named Pipe (`\\.\pipe\ACCsvcPipe`) to facilitate inter-process communication.
Named pipes are kernel objects that enable data transfer between processes, but their security depends on properly configured access control lists (ACLs).
In this case, the pipe’s ACL granted Read/Write access to unauthenticated users, violating Microsoft’s security guidelines.
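```cpp
// Simplified example of vulnerable pipe creation (hypothetical)
#include <windows.h>

HANDLE hPipe = CreateNamedPipe(
    L"\\\\.\\pipe\\ACCsvcPipe",      // backslashes escaped for the C++ string literal
    PIPE_ACCESS_DUPLEX,              // clients may both read and write
    PIPE_TYPE_MESSAGE | PIPE_WAIT,
    PIPE_UNLIMITED_INSTANCES,
    4096,                            // output buffer size
    4096,                            // input buffer size
    0,                               // default timeout
    NULL // Default DACL allows Everyone access
);
```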
Attackers exploit this misconfiguration by sending crafted requests to the pipe, leveraging a service feature designed to execute predefined binaries.
However, due to insufficient input validation, arbitrary executables can be triggered with SYSTEM privileges.
Impact and Attack Scope
| Metric | Details |
|---|---|
| Affected Versions | Acer ControlCenter 4.00.3000 – 4.00.3056 |
| Patched Versions | 4.00.3058+ |
| Exploit Complexity | Low (no authentication required) |
| Privilege Escalation | Local user → SYSTEM |
| Remote Exploitation | Yes (via network-accessible pipes) |
This vulnerability is particularly dangerous in networked environments, as attackers can remotely compromise systems using tools such as PsExec to interact with the pipe.
Successful exploitation enables full system control, including malware deployment, data exfiltration, and lateral movement.
Mitigation and Best Practices
Acer has addressed the issue by:
- Restricting pipe permissions to LocalSystem and Administrators only.
- Implementing command validation to block unauthorized executable paths.
Recommended Actions:
- Update to ControlCenter 4.00.3058 via the Acer Drivers Portal.
- Audit named pipe permissions using PowerShell:
  ```powershell
  # List every named pipe and keep the ACLs that mention Everyone
  Get-ChildItem \\.\pipe\ | ForEach-Object {
      Get-Acl -Path $_.FullName | Where-Object { $_.AccessToString -match "Everyone" }
  }
  ```
- Enforce the principle of least privilege for services interacting with inter-process communication mechanisms.
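
The check below is an added example, not code from the original article or from Acer. It takes a pipe's DACL in SDDL form and reports allow ACEs that grant write access to any trustee other than LocalSystem and Administrators, which is the policy the fix above describes. The SDDL strings are constructed samples, and exporting the descriptor (for instance from the `Sddl` property of the object `Get-Acl` returns) is an assumption about your workflow.

```python
import re

# Access-mask values from the Windows SDK; the sample descriptors are constructed.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
}
# FILE_WRITE_DATA | GENERIC_ALL | GENERIC_WRITE: any one lets a client send requests.
WRITE_BITS = 0x2 | 0x10000000 | 0x40000000
# Policy from the fix described above: LocalSystem and Administrators only.
ALLOWED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}

VULNERABLE = "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)(A;;0x12019b;;;AN)"
HARDENED = "O:SYG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)"


def parse_mask(rights):
    """Convert an SDDL rights field (hex number or two-letter codes) to a bit mask."""
    if rights[:2].lower() == "0x":
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS.get(code, 0)
    return mask


def audit_pipe_sddl(sddl):
    """Return one finding per allow ACE that lets a trustee outside ALLOWED write.

    Handles simple ACEs only; deny ACEs and conditional ACEs are not evaluated.
    """
    dacl = re.search(r"D:([A-Z_]*)((?:\([^()]*\))*)", sddl)
    if dacl is None:
        return ["no DACL in descriptor"]
    if "NO_ACCESS_CONTROL" in dacl.group(1):
        return ["NULL DACL: every caller has full access"]
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(2)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A" or fields[5] in ALLOWED:
            continue
        if parse_mask(fields[2]) & WRITE_BITS:
            findings.append(f"{fields[5]} can write ({fields[2]})")
    return findings


if __name__ == "__main__":
    for name, sddl in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_pipe_sddl(sddl) or "OK")
```
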
Historical Context
This flaw follows a pattern of privilege escalation vulnerabilities in Acer software:
- CVE-2022-24285 (2022): A similar named pipe misconfiguration in Acer Care Center.
- CVE-2021-45975 (2021): Service permission flaw allowing local escalation.
These recurring issues highlight the importance of secure defaults for IPC mechanisms in vendor-supplied utilities.
CVE-2025-5491 underscores the risks of improperly configured named pipes in privileged services.
Organizations using Acer devices should prioritize patching and review all service-exposed interfaces for excessive permissions.
As attackers increasingly abuse legitimate Windows features like named pipes for lateral movement, proactive hardening of system components remains critical.